gh0strat | bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910

General

Target

bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe
Size

2.4MB
MD5

f8f76bcf92d471334e77f891c17fba64
SHA1

360ec16bba09b03ca65c00382849ebea4aeb62d3
SHA256

bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910
SHA512

70b00d97d0dacfe25ba0430172e40d6534118ff0f48d73731eaae4e1041778af7b49153df7c4e3eb1e5bb13c37635568bf6ef1ab88d317d66129fb72ac623504
SSDEEP

49152:/qvqHgWVpi0bnnVgQXDifMQ64bB5mGwFZyXD0hL5THoea:/aqHtVM2iQXtQjZAhJa

Score

10^/10

gh0strat purplefox rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 14 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/216-9-0x0000000010000000-0x00000000101A0000-memory.dmp	purplefox_rootkit
behavioral2/memory/216-17-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral2/memory/3208-20-0x0000000010000000-0x00000000101A0000-memory.dmp	purplefox_rootkit
behavioral2/memory/3208-28-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral2/memory/216-29-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral2/memory/2680-30-0x0000000010000000-0x00000000101A0000-memory.dmp	purplefox_rootkit
behavioral2/memory/2680-37-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral2/memory/2680-38-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral2/memory/2680-39-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral2/memory/2680-40-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral2/memory/2680-41-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral2/memory/2680-42-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral2/memory/2680-43-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit
behavioral2/memory/2680-44-0x0000000000400000-0x00000000008D9000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 14 IoCs

resource	yara_rule
behavioral2/memory/216-9-0x0000000010000000-0x00000000101A0000-memory.dmp	family_gh0strat
behavioral2/memory/216-17-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral2/memory/3208-20-0x0000000010000000-0x00000000101A0000-memory.dmp	family_gh0strat
behavioral2/memory/3208-28-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral2/memory/216-29-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral2/memory/2680-30-0x0000000010000000-0x00000000101A0000-memory.dmp	family_gh0strat
behavioral2/memory/2680-37-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral2/memory/2680-38-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral2/memory/2680-39-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral2/memory/2680-40-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral2/memory/2680-41-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral2/memory/2680-42-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral2/memory/2680-43-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat
behavioral2/memory/2680-44-0x0000000000400000-0x00000000008D9000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Executes dropped EXE 3 IoCs

pid	Process
216	Tempbkjwlkjlgk.exe
3208	NfvWne.exe
2680	NfvWne.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Delete00.bat	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe
File created	C:\Windows\SysWOW64\NfvWne.exe	Tempbkjwlkjlgk.exe
File opened for modification	C:\Windows\SysWOW64\NfvWne.exe	Tempbkjwlkjlgk.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
216	Tempbkjwlkjlgk.exe
216	Tempbkjwlkjlgk.exe
3208	NfvWne.exe
3208	NfvWne.exe
2680	NfvWne.exe
2680	NfvWne.exe
2680	NfvWne.exe
2680	NfvWne.exe
2680	NfvWne.exe
2680	NfvWne.exe
2680	NfvWne.exe
2680	NfvWne.exe
2680	NfvWne.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1172	PING.EXE
5104	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	216	Tempbkjwlkjlgk.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2836	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe
2836	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe
216	Tempbkjwlkjlgk.exe
3208	NfvWne.exe
2680	NfvWne.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 216	2836	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe	94
PID 2836 wrote to memory of 216	2836	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe	94
PID 2836 wrote to memory of 216	2836	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe	94
PID 2836 wrote to memory of 2004	2836	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe	95
PID 2836 wrote to memory of 2004	2836	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe	95
PID 2836 wrote to memory of 2004	2836	bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe	95
PID 2004 wrote to memory of 1172	2004	cmd.exe	97
PID 2004 wrote to memory of 1172	2004	cmd.exe	97
PID 2004 wrote to memory of 1172	2004	cmd.exe	97
PID 216 wrote to memory of 2464	216	Tempbkjwlkjlgk.exe	99
PID 216 wrote to memory of 2464	216	Tempbkjwlkjlgk.exe	99
PID 216 wrote to memory of 2464	216	Tempbkjwlkjlgk.exe	99
PID 2464 wrote to memory of 5104	2464	cmd.exe	101
PID 2464 wrote to memory of 5104	2464	cmd.exe	101
PID 2464 wrote to memory of 5104	2464	cmd.exe	101
PID 3208 wrote to memory of 2680	3208	NfvWne.exe	102
PID 3208 wrote to memory of 2680	3208	NfvWne.exe	102
PID 3208 wrote to memory of 2680	3208	NfvWne.exe	102

C:\Users\Admin\AppData\Local\Temp\bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe
"C:\Users\Admin\AppData\Local\Temp\bcc8f86ef4ffafa186ce6fafcb1684da8e99205709e2766fdf6e9205994fc910.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Tempbkjwlkjlgk.exe
  C:\Users\Admin\AppData\Local\Tempbkjwlkjlgk.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\TEMPBK~1.EXE > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:5104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\\Delete00.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3812 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:372

C:\Windows\SysWOW64\NfvWne.exe
C:\Windows\SysWOW64\NfvWne.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\SysWOW64\NfvWne.exe
  C:\Windows\SysWOW64\NfvWne.exe -acsi
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Tempbkjwlkjlgk.exe

Filesize
1.6MB

MD5
171f46469609b3a91f6bd1c54b900b9c

SHA1
a03620a7725985c3a9ad5629fafc23b0ab8e76bd

SHA256
a61b23fdf8dea7d94c8e181fd81d79739fe2153055a88920bd609f881b45a5b0

SHA512
dc864caa3be54bd5bb9896f5bee716902f17f33541396e7a2ae073da51761d627083cc056e1f3900396ae3c605b39fb8ea002c5ca42bc3c082affb1f6d410796

Download Submit
C:\Windows\SysWOW64\Delete00.bat

Filesize
165B

MD5
53766b95bdf5d8680386866a156062e9

SHA1
291dc723078f239a72ab22c31ae115a763da9d53

SHA256
22fd2a084d50593b57e5473f06ed6dc6a309a52188db9687b5564f476c28d86b

SHA512
f48586ec2ecd8766cc55114d585a4ea8afb69e60a1107758177d89a29dba02bbe107809a07aa09b8895ef7b060b8017d9014b9c448472e16ee3b54ca727029c4

Download Submit
memory/216-29-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/216-4-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/216-9-0x0000000010000000-0x00000000101A0000-memory.dmp

Filesize
1.6MB

Download
memory/216-17-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/216-8-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2680-39-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2680-30-0x0000000010000000-0x00000000101A0000-memory.dmp

Filesize
1.6MB

Download
memory/2680-37-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2680-38-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2680-40-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2680-41-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2680-42-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2680-43-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2680-44-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/3208-28-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/3208-20-0x0000000010000000-0x00000000101A0000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing